[syslog-ng] [Bug 93] New: filter() functionality between 2.1 to 3.0 not consistent

Alan McKinnon Alan.McKinnon at is.co.za
Tue Sep 21 16:35:20 CEST 2010


I think you are running into the changed definitions of match() between 2.0 
and 3.0.

http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_filters.html

especially match() and message()

Of your samples, the 3rd and 4th should work. What is the full config that 
applies to how you use this filter? Are you perhaps applying two filters? Be 
careful with that - filters are always ANDed in a log statement, not ORed.






On Tuesday 21 September 2010 16:16:57 bugzilla at bugzilla.balabit.com wrote:
> https://bugzilla.balabit.com/show_bug.cgi?id=93
> 
>            Summary: filter() functionality between 2.1 to 3.0 not consistent
>            Product: syslog-ng
>            Version: 3.0.x
>           Platform: PC
>         OS/Version: Linux
>             Status: NEW
>           Severity: major
>           Priority: unspecified
>          Component: syslog-ng
>         AssignedTo: bazsi at balabit.hu
>         ReportedBy: mworsham at scires.com
> Type of the Report: bug
>    Estimated Hours: 0.0
> 
> 
> In the older syslog-ng v2.1, this line works perfectly:
> 
> filter M_audit   { not match("Audit daemon rotating log files"); };
> 
> Under 3.0.8, none of the following are working (if added one line at a
> time) and the daemon restarted:
> 
> filter M_audit  { not match("Audit daemon rotating log files" value("MSGONLY") flags(ignore-case)); };
> filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files") flags(ignore-case)); };
> filter M_audit  { not match("Audit daemon rotating log files" value(MSGONLY) flags(ignore-case)); };
> filter M_audit  { not match("Audit daemon rotating log files" value(MSGONLY)); };
> filter M_audit  { not match("MSGONLY" value("Audit daemon rotating log files")); };
> 
> What I am looking to do is if any incoming data has the following keywords
> (i.e. "Audit daemon rotating log files") being detected, it should be
> filtered (i.e. dropped), and then not show up in the actual message log
> file.
> 
> For example, if I go over on the syslog-ng client and do 'logger daemon':
>       - The older v2.1 syslog-ng server detects the embedded keyword and
>         drops the message. <-- This is correct
>       - On the v3.0.8, the message passes through and is found in the data
>         file. <-- This is incorrect
> 
> Attempted to use the following URLs to correct the formatting, but it is
> still not working:
> - http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/configuring_filters.html
> - http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_macros.html

-- 
Alan McKinnon
Systems Engineer^W Technician
Infrastructure Services
Internet Solutions

+27 11 575 7585
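
The two points in the reply above, sketched as a 3.x configuration. This is an added example, not configuration from the thread or the reporter: it uses message(), which the 3.x admin guide describes as matching the message text only (what match() did in 2.1), and every name other than M_audit (s_net, d_messages, d_never, f_daemon, f_auth, f_daemon_or_auth), the port and the file paths are hypothetical.

```conf
@version: 3.0
# Added example; source, destinations and the f_* filters are hypothetical.

source s_net { udp(ip(0.0.0.0) port(514)); };
destination d_messages { file("/var/log/messages"); };
destination d_never { file("/var/log/never-written"); };

# message() is applied to the message text only, excluding the headers.
filter M_audit { not message("Audit daemon rotating log files"); };

filter f_daemon { facility(daemon); };
filter f_auth   { facility(auth, authpriv); };

# Filters listed in one log statement are ANDed: a message must pass every
# one of them. No message has both the daemon and an auth facility, so this
# statement never writes anything.
log {
    source(s_net);
    filter(f_daemon);
    filter(f_auth);
    destination(d_never);
};

# To OR conditions, combine them inside a single filter expression, then
# AND that with the drop rule in the log statement.
filter f_daemon_or_auth { filter(f_daemon) or filter(f_auth); };

log {
    source(s_net);
    filter(f_daemon_or_auth);   # daemon OR auth/authpriv ...
    filter(M_audit);            # ... AND not the audit rotation notice
    destination(d_messages);
};
```

Checking the file with `syslog-ng --syntax-only -f <file>` before restarting the daemon catches filter syntax errors without interrupting log collection.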
